Energy firms' security so POOR, insurers REFUSE to take their cash

They're turning down MULTI-MILLION pound contracts...

Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.

Lloyd's of London told the BBC it had seen a surge in requests for insurance from energy sector firms, but poor test scores from security risk assessors mean that insurers are turning down potential multi-million pound contracts.

"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the Beeb. "They are all worried about their reliance on computer systems and how they can offset that with insurance."

Infosec experts called in to review energy sector systems come back with negative reviews. And that means offering "safety net" insurance against breaches is not viable as a business proposition.

"We would not want insurance to be a substitute for security," Khudari explained.

Lloyd's operates a world-renowned marketplace that offers a means to obtain commercial insurance for anything from container ships to large development projects. Insurance firms have been offering data breach insurance since at least 2009, if not earlier.

Specialist insurance firm Beazley’s client roster includes 30 per cent of the world’s top 200 oil and gas companies, as well as major banking and financial institutions. Last December the firm announced it had helped its clients recover from a combined total of 1,000 security breaches over the years. Most of Beazley’s services focus on incident response.

Separately, Allianz Global Corporate & Specialty recently unveiled a suite of products to protect businesses against issues that can arise from a serious cyber attack or data breach.

Industrial control plants at power utilities and other energy sector firms, as elsewhere, rely on SCADA (Supervisory Control and Data Acquisition) technology. These legacy systems are increasingly being connected to the internet, essentially to make them easier to manage remotely. At the same time, more and more security problems are being discovered by security researchers investigating industrial plant security in the wake of the infamous Stuxnet worm, which has made research into the formerly overlooked topic "sexy".

More and more problems are being discovered in crucial systems that are rarely patched, and this creates a recipe for disaster.

Jonathan Roach, principal security consultant at Context Information Security, told El Reg: "SCADA systems have not been patched in years for various reasons: isolation of SCADA networks making the process of patching awkward; lack of motivation to perform what is sometimes seen as a risky process to a critical plant component; terms of software support contracts".

With all this in mind, it's no great surprise to find underwriters turning down lucrative energy sector insurance contracts.

Chris McIntosh, chief exec of ViaSat UK, which provides security and secure communications for clients including US energy companies, said problems obtaining insurance are a symptom of a wider malaise.

"Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home," McIntosh said. "According to a recent Zpryme Research study, half of infrastructure providers in the US believed electrical networks were insecure. While previously, attacking national energy or resource infrastructure would have involved compromising dedicated communication networks, the modernisation of these networks has made them part of the internet and so more vulnerable than ever.

"However, insurance is only a plaster over these underlying weaknesses. Organisations need to act now to protect their networks and address the unique nature of interconnected real-time control systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur," said McIntosh.

"Unless energy companies demonstrate they are taking the necessary precautions, insurers will keep them at arm's length, public trust will fall, and the resilience of the country's critical national infrastructure will inevitably suffer as a result," he added.
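McIntosh's call for "rigorous authentication protocols" on interconnected control systems is easiest to appreciate side by side with the behaviour it replaces. The following is an added example, not code from the article, from ViaSat or from any of the firms quoted: a toy control-command channel in which a legacy receiver acts on any well-formed frame, while a hardened receiver requires an HMAC-SHA256 tag and a strictly increasing sequence number, so frames without the shared key and resent copies of earlier valid frames are rejected. The key, the frame layout (JSON body, `|`, hex tag), the device names and the sample traffic are all constructed for the example; it covers the authentication half of the recommendation, not encryption of the payload.

```python
"""Added example (not from the article or any quoted company): a toy
control-command channel showing why authenticated commands matter once
a control network is reachable from outside.

Frame layout (constructed): <JSON body>|<hex HMAC-SHA256 tag over body>.
"""
import hashlib
import hmac
import json

# Constructed shared secret; a real deployment would provision per-device keys.
SHARED_KEY = b"example-device-key-not-a-real-secret"


def encode_frame(seq: int, target: str, action: str, key: bytes) -> bytes:
    """Serialise a command with a sequence number and an HMAC tag."""
    body = json.dumps({"seq": seq, "target": target, "action": action},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class UnauthenticatedReceiver:
    """Legacy behaviour: trusts whatever well-formed frame arrives on the wire."""

    def __init__(self) -> None:
        self.actions = []

    def handle(self, frame: bytes) -> bool:
        body = frame.split(b"|", 1)[0]
        try:
            cmd = json.loads(body)
        except ValueError:
            return False
        self.actions.append((cmd.get("target"), cmd.get("action")))
        return True


class AuthenticatedReceiver:
    """Hardened behaviour: verify the tag first, then enforce ordering."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1
        self.actions = []
        self.rejected = []

    def handle(self, frame: bytes) -> bool:
        body, sep, tag = frame.partition(b"|")
        if not sep:
            self.rejected.append("missing tag")
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not reveal how much of the tag matched.
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            self.rejected.append("bad tag")
            return False
        cmd = json.loads(body)
        seq = cmd["seq"]
        # A strictly increasing sequence number means a captured valid frame
        # cannot simply be sent again later.
        if seq <= self.last_seq:
            self.rejected.append("replay")
            return False
        self.last_seq = seq
        self.actions.append((cmd["target"], cmd["action"]))
        return True


def run_scenario() -> dict:
    """Feed the same constructed traffic to both receivers and report outcomes."""
    good1 = encode_frame(1, "breaker-7", "close", SHARED_KEY)
    good2 = encode_frame(2, "pump-3", "start", SHARED_KEY)
    unkeyed = encode_frame(3, "breaker-7", "open", b"wrong-key")  # sender without the key
    replay = good1                                                # earlier valid frame resent
    traffic = [good1, good2, unkeyed, replay]

    legacy = UnauthenticatedReceiver()
    hardened = AuthenticatedReceiver(SHARED_KEY)
    legacy_results = [legacy.handle(f) for f in traffic]
    hardened_results = [hardened.handle(f) for f in traffic]
    return {
        "legacy_accepted": legacy_results,
        "hardened_accepted": hardened_results,
        "hardened_rejections": hardened.rejected,
        "hardened_actions": hardened.actions,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The legacy receiver accepts all four frames, including the one built without the key and the resent copy; the hardened receiver accepts only the two genuine, in-order commands and records why it dropped the others, which is also the log line a SOC would want to alert on. In a real plant the same two checks (a per-device key with constant-time tag comparison, and monotonic sequence numbers or timestamps) would sit inside a transport that also encrypts the payload.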

Thales UK maintains the control systems for British Energy plants in the UK and is also involved in the building of the Hinkley Point B nuclear power station.

Tony Burton, critical national infrastructure protection business lead at Thales UK, said ageing legacy systems at power plants need to be secured one way or another. He suggested the insurers' stance has the potential to serve as a much-needed wake-up call.

"Legacy systems, often built before the internet existed, were simply not designed with the levels of interconnection and security threat we see today," Burton said. "Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats that can ‘leap the air-gap’ via process, people and physical (eg, USB stick) vectors.

"Energy firms and other areas of critical national infrastructure are beginning to face up to this challenge and are increasingly recognising that good security is good business."

"The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom line results of these companies," continued Burton. "However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise." ®
